Hugh Thompson on Simplifying Security

The technology landscape in the past decade has changed in unprecedented ways, quickly rendering legacy architectures and security paradigms defunct against a new breed of risks and threats. Companies once considered low risk, which previously could make do with an antivirus solution and a firewall, now find their digital defenses under assault and breached. The game has changed. The focus in security therefore needs to shift from the variables to the things that remain constant, to enable continuous protection in a dynamic threat landscape, says Dr. Hugh Thompson, CTO and Senior VP at Blue Coat, a Sunnyvale, California-based provider of security and networking solutions.

"It is a very interesting time for security. Vendors with very similar messaging are vying for market share, and it is a sorting-out period for people in the security space," Thompson says. "How do we decide upon and measure the things that matter and the things that seem important at this point, but are fated to ebb and flow?"

Thompson proposes applying the statistical concept of "Degrees of Freedom." The idea is to find a model that can treat the changing landscape as a variable in an equation that can keep changing without affecting the final outcome of the equation.

The human element of security is one such constant, he says. However, with people, education and efforts at security awareness have largely been unsuccessful, and this is something he doesn't expect will change.

"I think there has been a huge amount of recidivism for people who have made bad choices, saw that they made the bad choice and still do it again the next day in a different context," he says.

In this broad-ranging interview with Information Security Media Group - the first of two parts - Thompson shares his opinion of the current landscape in security and lessons learned from all the changes that the industry has seen. Thompson also shares insight on:

Thompson is Chief Technology Officer and Senior Vice President at Blue Coat. Also Blue Coat's CMO, he has been with Blue Coat for three years. He has more than a decade of experience creating methodologies that help organizations build more secure systems and has co-authored three books on the topic. For the past five years, Thompson has served as the program committee chairman for RSA Conference, the world's largest information security gathering, where he is responsible for guiding the technical content at both the U.S. and European RSA Conferences. He also sits on the Editorial Board of IEEE Security and Privacy Magazine. He has written several technical books on computer security and has taught computer security at Columbia University for five years.

Edited excerpts from the conversation follow.

On Degrees of Freedom

VARUN HARAN: What is the most exciting thing in security today for you? What is the security philosophy that finds most resonance with you today?

DR. HUGH THOMPSON: Flexibility of security systems and degrees of freedom. This is a statistical concept, and we are trying to indoctrinate it into the way we are looking at building our products and acquiring assets at Blue Coat. If you compare the security industry to any other, look at the amount of volatility that we have had and the changes in the types of technologies - something is important, then it loses significance, then it's important again; endpoint security is the prime example. You need to invest in security technologies and people that can adapt and rapidly onboard new tech, in an environment that is highly unstable.

At a philosophical level, it's about simplifying security, to things that are constant, and the things that we think may change. So degrees of freedom is a variable in an equation that can vary, but doesn't impact the final outcome of the equation. Blue Coat has taken that philosophy to heart - it is very open from a standards and API perspective. [See: Balancing Innovation with Risk]

It is a very interesting time for security. Vendors with very similar messaging are vying for market share, and it is a sorting-out period for people in the security space. How do we decide upon and measure the things that matter and the things that seem important at this point but are fated to ebb and flow?

HARAN: Can you elaborate more on this idea of things that change and things that don't? What are some of the constants and variables in the security space that you have observed?

THOMPSON: There are constants in security, but there are multiple variables that change over time. The main driver for that, I think, is that the environment that we are in is so dynamic. In Asia in particular, you look at the penetration of smart phones. That was never envisioned when we designed the core security architectures 10 years ago.

Another interesting example is the idea around password resets. Twenty years ago, it was a brilliant idea to do password resets using biographical questions like where you attended school, your mother's maiden name, etc. Today, if you had to make that decision, using biographical data is a terrible idea. People are more knowable at a distance than they ever have been at any point in the past. All this information is available as a digitized public record. In this industry, something that is a great decision at a point in time could become a bad decision very quickly, as context and the environment change.

One constant is the human element of security. I think people have and will continue to make security-oriented mistakes with technology. I don't see that changing. In security there has been a lot of effort to teach people about security hygiene, but I don't think that has been effective at all. I think there has been a huge amount of recidivism for people who have made bad choices, saw that they made the bad choice and still do it again the next day in a different context.

Attacker Profiles

HARAN: How have attackers diversified in this new landscape?

THOMPSON: I'd say cyber criminals are a distinct group, and in my head they are still cyber criminals - folks that are distinctly profit oriented. The tactics that they used have evolved from breaking in, smash and grab, to more innovative ways of monetizing data like ransomware. I'd say the cyber criminals are still after money, and their organizational maturity has changed.

Another group of attackers, hacktivists, are a puzzle to some folks in security because they modify the targeting. Companies that were hitherto not traditional targets of cyber-attacks find themselves very much at risk. Hacktivist attacks tend to be very loud and very public. Their goal is to embarrass the company and damage its reputation. This is a new vector companies are trying to cope with.

The nation-state attacks are a completely different animal, too, because they are the opposite of a hacktivist attack - their goal is to remain silent. They are usually after intellectual property or control, to establish a beachhead inside an organization's infrastructure. Very well-funded with lots of interesting people on the payroll.

Those three groups are redefining how security is being approached today.

Tech Evolution

HARAN: Articulate for me some of the developments in the technology space that are redefining security? Blue Coat has been at the center of a lot of M&A activity - could you walk us through some of the interesting ones?

THOMPSON: It's been a busy time for Blue Coat. The company has grown substantially in the past three years, since the company was taken private. Some of our acquisitions worth mentioning include the acquisition of Solera Networks for their full packet capture, record, save-to-disk analytics tech. We also bought Netronome's SSL decryption business, which is a high-bandwidth, high-throughput SSL decrypt service that can feed devices, package it back up and send it on. That is the highest growth area of our business - we can't make those boxes fast enough. I think it's because of how quickly the world switched over to HTTPS. We bought Norman Shark for their sandboxing technology - to add their sandbox into our secure web gateway system.

There have been seismic changes in the security space in the last five years. Massive adoption of mobile devices, massive connectivity of kinetic devices to the internet, and social media. I think there has been a sea change in attackers as well. Five years ago, a company without credit card or other monetizable information could have been considered relatively safe. The rise of hacktivism and nation-state threats has changed targeting significantly.

All this has forced us to go back and reimagine a bunch of fundamental principles that were etched in stone in security.

Tune in for part II of this interview, where Hugh Thompson shares his views on breach disclosure, the future of security and where to invest your security dollar.

About the Author

Haran has been a technology journalist in the Indian market for over six years, covering the enterprise technology segment and specializing in information security. He has driven multiple industry events such as the India Computer Security Conferences (ICSC) and the first edition of the Ground Zero Summit 2013 during his stint at UBM. Prior to joining ISMG, Haran was first a reporter with TechTarget writing for SearchSecurity and SearchCIO; and later, correspondent with InformationWeek, where he covered enterprise technology-related topics for the CIO and IT practitioner.
